In order to provide a strong custody solution that can be trusted with very large amounts of currency, the key used to transfer funds must be backed up regularly so that the funds are not irretrievably lost. In more detail, in cryptocurrencies a digital signing key is used to transfer funds, and if this key is lost, all of the funds are lost with it. The signing key therefore needs to be backed up, and backed up securely, since theft of the key would enable the thieves to transfer all of the funds to their own address in an irreversible fashion. Such a backup can be achieved by generating a cold-backup public/private key pair and encrypting the digital signing private key under the cold-backup public key. The cold-backup private key can then be stored in disconnected Hardware Security Modules (HSMs) kept at different locations around the world, or in some other very secure way.
In the simple case that a party generates a digital signing key in the standard way, cold backup poses no challenge. However, more advanced solutions use Secure Multiparty Computation (MPC) and threshold cryptography to split the digital signing key into multiple shares that are never brought together. Such methods provide strong protection against key theft and are especially suitable for cryptocurrency custody solutions. In order to understand the challenge in this case, denote by x_1, ..., x_n the shares of the digital signing private key (where n denotes the number of parties holding shares and x_i denotes the share of the private key held by the ith party). A simple solution is for each party to separately encrypt its share under the cold-backup public key. Then, if the signing key is somehow lost (for example, because parties' shares are lost), the key can be retrieved by decrypting all of the encrypted shares using the cold-backup private key and running a standard secret-sharing reconstruction procedure. The problem that arises with this solution is that some of the parties may be adversarial and may intentionally encrypt garbage instead of their correct share. Nothing in the backup reveals this, because the cold-backup private key is offline and the ciphertexts cannot be checked at backup time; the garbage is only discovered at recovery, when it is too late. If an adversary did this, it would be impossible to reconstruct the actual private key, resulting in a loss of all funds. As such, this malicious behavior can result in huge financial losses and thus must be protected against.
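The following is an added worked example of the simple solution and its failure mode; it is not code from the original text or from any particular custody product. It uses a toy setting so that it runs offline: Shamir t-of-n sharing over the secp256k1 field prime, the cold-backup key pair as ElGamal in Z_p^* with generator 2, and the signing public key modelled as pub = g^x mod p rather than an elliptic-curve point. The group choice, the generator and the function names are assumptions made for illustration and are not secure for production. Each party encrypts its own share x_i; a malicious party encrypts a random value instead. Recovery then decrypts everything, and the only check available is to compare the reconstructed key against the known signing public key.

```python
"""Cold backup of MPC signing-key shares, and a malicious party encrypting garbage.

Added example (not from the original text). Toy arithmetic: ElGamal in Z_p^*
with p the secp256k1 field prime and g = 2; the signing public key is
modelled as g^x mod p.  Not for production use.
"""
import secrets
from itertools import combinations

P = 2**256 - 2**32 - 977   # secp256k1 field prime, reused as the toy ElGamal modulus
G = 2                       # toy generator (assumption)


# --- Shamir secret sharing over Z_P -------------------------------------------
def share(secret, t, n):
    """Split `secret` into n shares; any t of them reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: sum(c * pow(i, j, P) for j, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange interpolation at 0 over the given {index: value} shares."""
    x = 0
    for i, yi in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        x = (x + yi * num * pow(den, -1, P)) % P
    return x


# --- Toy ElGamal: the cold-backup key pair -------------------------------------
def elgamal_keygen():
    sk = secrets.randbelow(P - 2) + 1          # would live in offline HSMs
    return sk, pow(G, sk, P)


def elgamal_encrypt(pk, m):
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), m * pow(pk, k, P) % P


def elgamal_decrypt(sk, ct):
    c1, c2 = ct
    return c2 * pow(pow(c1, sk, P), -1, P) % P


# --- The simple backup protocol -------------------------------------------------
def backup_shares(shares, cold_pk, malicious=()):
    """Each party encrypts its own share under the cold-backup public key.
    Parties listed in `malicious` encrypt a random value instead; the
    resulting ciphertext is indistinguishable from an honest one."""
    return {i: elgamal_encrypt(cold_pk, secrets.randbelow(P) if i in malicious else xi)
            for i, xi in shares.items()}


def recover(backup, cold_sk, t, signing_pub):
    """Decrypt every backed-up share and look for a t-subset whose
    reconstruction matches the public signing key. Returns
    (key, bad_indices), or (None, set()) if no consistent subset exists."""
    dec = {i: elgamal_decrypt(cold_sk, ct) for i, ct in backup.items()}
    for subset in combinations(sorted(dec), t):
        cand = reconstruct({i: dec[i] for i in subset})
        if pow(G, cand, P) != signing_pub:
            continue
        # A share is consistent if swapping it into the good subset gives the same key.
        good = set(subset)
        for i in dec:
            if i not in good:
                alt = {**{j: dec[j] for j in list(subset)[1:]}, i: dec[i]}
                if reconstruct(alt) == cand:
                    good.add(i)
        return cand, set(dec) - good
    return None, set()


def demo(t=2, n=3, malicious=(3,)):
    """Run sharing, backup, naive recovery and checked recovery once."""
    x = secrets.randbelow(P)
    signing_pub = pow(G, x, P)
    shares = share(x, t, n)
    cold_sk, cold_pk = elgamal_keygen()
    backup = backup_shares(shares, cold_pk, malicious)
    # Naive recovery: decrypt all n ciphertexts and reconstruct blindly.
    naive = reconstruct({i: elgamal_decrypt(cold_sk, ct) for i, ct in backup.items()})
    recovered, bad = recover(backup, cold_sk, t, signing_pub)
    return {"naive_ok": naive == x, "recovered": recovered,
            "recovered_ok": recovered == x, "bad": bad}


if __name__ == "__main__":
    print("honest 2-of-3:      ", demo(2, 3, ()))
    print("party 3 garbage, 2-of-3:", demo(2, 3, (3,)))
    print("party 3 garbage, 3-of-3:", demo(3, 3, (3,)))
```

Two things are worth noting about what the example shows. First, blind reconstruction from all n decrypted values silently yields a wrong key whenever any ciphertext contained garbage, and the garbage ciphertext itself gives no warning at backup time. Second, comparing candidates against the signing public key only helps when the threshold leaves slack: with 2-of-3 and one corrupt party, `recover` finds the honest pair and names party 3 as bad, but with n-of-n sharing (or more than n - t corrupt parties) no subset passes the check and the key is gone, which is exactly the loss the text describes. Preventing it, rather than merely detecting it after the fact, requires the parties to prove at backup time that what they encrypted is their real share.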